COI Report – Part III
Page 67 of 425

14.5 Queries to the SCM database from 26 June to 4 July 2018

193. From 26 June 2018, the attacker began querying the database from Citrix Server 2 using the AA. account. Based on the evidence available, it appears that there were three broad types of Structured Query Language[21] (“SQL”) queries which the attacker ran: (i) reconnaissance on the schema of the SCM database, (ii) direct queries relating to particular individuals, and (iii) bulk queries on patients in general. In total, the attacker performed over 200 SQL queries on the SCM database between 26 June 2018 and 4 July 2018.

194. The programs used to make the queries included programs that were legitimately used by IHiS, and also programs not used by IHiS and which were installed by the attacker. The hostnames from which the queries were logged as being made were those of VM 1, VM 2, and Workstation B.

Reconnaissance on the schema of the SCM database and test queries

195. From 26 June 2018, the attacker began with reconnaissance queries which returned information relating to the schema of the SCM database, including information on database tables and views, stored procedures, and predefined SQL codes and functions. The purpose of this has been assessed by CSA to be to understand the SCM database and its design, before making queries on the data.

196. The attacker also executed test queries to understand the types of information in the database, and to confirm its findings from its reconnaissance work.

Direct queries relating to particular individuals

197. Thereafter, the attacker made a number of direct queries on specific NRIC numbers, including that of the Prime Minister Mr Lee Hsien Loong. The Prime

[21] Structured Query Language (SQL) is the standard language for relational database management systems, and is used to communicate with a database.